Johnczek

Reputation: 657

Migrating from Checkstyle + PMD + Findbugs to SonarQube

I would like to migrate from Checkstyle + PMD + Findbugs to SonarQube. I've read that SonarQube replaces all 3 plugins (and has some new rules in addition). But in my project we have some custom configuration of these plugins, like checkstyle.xml, which holds our custom checkstyle rules (at least half of them are custom modified checkstyle rules, like special format of code, filter for rude words, ...).

...
    <module name="RegexpSingleline">
        <property name="format" value="debugger" />
        <property name="message" value="Javascript files must not contain 'debugger' statement" />
        <property name="fileExtensions" value="js" />
    </module>
...

The same things for findbugs

<FindBugsFilter>
...
    <Match><Bug pattern="XXE_XMLREADER" /></Match>
...
</FindBugsFilter>

and PMD

...
    <rule ref="category/java/errorprone.xml/AvoidBranchingStatementAsLastInLoop" />
    <rule ref="category/java/errorprone.xml/AvoidDecimalLiteralsInBigDecimalConstructor" />
...

So is there any possibility to analyze the current rules, migrate to SonarQube and add new custom rules which are not present in the default SonarQube configuration?

The main motivation is to have one instance of SonarQube running on some server, and all devs would have the Sonar plugin installed in IDEA, connected to that SonarQube instance (as would some auto build from Jenkins etc.), so all would use the same rules based on the rules set in the current PMD, Checkstyle and Findbugs (in the Jenkins build, these 3 checks are run separately; the ideal solution is to run just the SonarQube check).

Upvotes: 6

Views: 4538

Answers (3)

cookiejar

Reputation: 161

Unfortunately, the import of checkstyle settings into SonarQube does not really work, so it seems one needs to make all the settings manually :-(

https://github.com/checkstyle/sonar-checkstyle/issues/356

Upvotes: 0

Sudheer Singh

Reputation: 654

Use this command to push checkstyle/pmd/cpd/findbugs into SonarQube

-Dsonar.java.checkstyle.reportPaths=target/checkstyle-result.xml -Dsonar.java.spotbugs.reportPaths=target/site/findbugs.xml

Upvotes: 0

Simon Schrottner

Reputation: 4744

From my experience there are ups and downs to using just SonarQube and SonarLint, to having just Checkstyle, PMD and Findbugs, and to having both.

The benefit of SonarQube itself is that it shines with a good and easily understandable UI which you can easily integrate into your build pipeline and into your PR tool.

With SonarLint you also have a good integration into IDEs. But in my opinion it is not suited for git hooks or fast local verification. We might analyze some classes with SonarLint, but not the whole project. Therefore we use the CI/CD.

So those are the benefits of just SonarQube and SonarLint. The biggest one is that you can also have Checkstyle, PMD and Findbugs within SonarQube. Those are not supported by SonarLint, but you can use SonarQube to display the errors of those tools. There are dedicated plugins which are maintained, and which will also show you the errors of the other tools. The downside is that SonarLint does not support these plugins.

The SonarQube plugins also sometimes accept reports from outside analysis. E.g. Findbugs: you can analyse the code with Findbugs and just provide the report to SonarQube.

But generally speaking, it is possible to migrate those rules. For Checkstyle you can import the checkstyle.xml. I am not sure for Findbugs and PMD; maybe you need to manually configure them.

Anyway, I would closely evaluate what is important to your build and what is not. A Checkstyle check via Gradle is really fast, whereas a SonarQube scanner will run through and only report at the end. This can be crucial sometimes, if your build resources are limited.

I hope this insight was at least somehow helpful, although it does not 100% cover your question.

Upvotes: 4
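Since the answers above suggest at least part of the configuration has to be ported by hand, an inventory of the rules the three files actually contain helps confirm that nothing (a security detector such as `XXE_XMLREADER` in particular) is lost on the way. The script below is an added example, not code from any of the posters or from SonarQube; the sample XML is constructed from the fragments in the question, and the function names `inventory` and `needs_manual_port` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the fragments shown in the question.
CHECKSTYLE = """<module name="Checker">
  <module name="RegexpSingleline">
    <property name="format" value="debugger"/>
    <property name="message" value="Javascript files must not contain 'debugger' statement"/>
    <property name="fileExtensions" value="js"/>
  </module>
  <module name="TreeWalker"><module name="EmptyBlock"/></module>
</module>"""
FINDBUGS = """<FindBugsFilter>
  <Match><Bug pattern="XXE_XMLREADER"/></Match>
</FindBugsFilter>"""
PMD = """<ruleset name="custom" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0">
  <rule ref="category/java/errorprone.xml/AvoidBranchingStatementAsLastInLoop"/>
  <rule ref="category/java/errorprone.xml/AvoidDecimalLiteralsInBigDecimalConstructor"/>
</ruleset>"""

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}rule'."""
    return tag.rsplit("}", 1)[-1]

def inventory(checkstyle_xml, findbugs_xml, pmd_xml):
    """Return (tool, rule, properties) for every rule named in the three configs."""
    rows = []
    for mod in ET.fromstring(checkstyle_xml).iter("module"):
        if mod.get("name") in ("Checker", "TreeWalker"):
            continue  # container modules, not checks
        props = {p.get("name"): p.get("value") for p in mod.findall("property")}
        rows.append(("checkstyle", mod.get("name"), props))
    for bug in ET.fromstring(findbugs_xml).iter("Bug"):
        # The pattern attribute may hold a comma-separated list.
        for pat in (bug.get("pattern") or "").split(","):
            if pat.strip():
                rows.append(("findbugs", pat.strip(), {}))
    for el in ET.fromstring(pmd_xml).iter():
        if local(el.tag) == "rule" and el.get("ref"):
            ref = el.get("ref")
            rows.append(("pmd", ref.rsplit("/", 1)[-1], {"ref": ref}))
    return rows

def needs_manual_port(rows):
    """Checkstyle checks with custom properties cannot be matched by name alone."""
    return [(tool, name) for tool, name, props in rows if tool == "checkstyle" and props]

if __name__ == "__main__":
    for row in inventory(CHECKSTYLE, FINDBUGS, PMD):
        print(row)
```

Whether a FindBugs filter entry enables or suppresses a pattern depends on whether the build passes the file as an include or an exclude filter, so check that before recreating the entry in a quality profile.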
